From: Andrew Jaquith
To: jspwiki-dev@incubator.apache.org
Cc: Florian Holeczek
Date: Fri, 11 Jan 2008 16:19:52 -0500
Subject: Re: page ACL issue

This is correct behavior. When you create an ACL for a page, it replaces the default security policy. So, if your jspwiki.policy says that anonymous users can view page Foo (or "*" for all pages), adding an ACL of [{ALLOW edit florian}] means that only Florian can edit Foo, and nobody else has any other privileges.

The reason the system works this way is quite simple. For example, if you wanted to prevent all ordinary users from viewing a page called "Payroll," you'd add an ACL that allowed the "Finance" group to edit it. But you wouldn't want the default "anonymous view" policy to be added on top of that ACL.

We probably haven't been as clear about this as we could have been...

Andrew

On Jan 11, 2008, at 3:58 PM, Florian Holeczek wrote:

>> maybe add a
>> [{ALLOW view anonymous}] - to allow anonymous (I think then
>> everyone to view)
>>> [{ALLOW edit florian}]
>>> Florian wrote this...
>
> Yes, that's fine (with Anonymous, case sensitive). I already knew this
> before, though :-)
>
> Maybe it's an "undocumented feature" that once a policy rule is given, the
> default policy rules are deactivated completely?
>
> Regards,
> Florian
>
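
The rule described in the message above, as an added example that is not part of the original thread and is not JSPWiki's own code: a small Python model in which a page ACL, when present, is the only source of grants, set beside a hypothetical additive variant to show what the Payroll case would leak. `DEFAULT_POLICY`, the function names, the sample pages and the "edit implies view" shortcut are assumptions of this model.

```python
import re

# Matches JSPWiki page ACL markup such as [{ALLOW edit florian}]
ACL_RE = re.compile(r"\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]")

# Model assumption: a grant of "edit" also lets the holder view the page.
IMPLIES = {"edit": {"edit", "view"}}

# Constructed stand-in for jspwiki.policy: (principal, action) grants on all pages.
DEFAULT_POLICY = {("Anonymous", "view"), ("Authenticated", "edit")}

def parse_acl(page_text):
    """Return the set of (principal, action) grants found in the page markup."""
    grants = set()
    for action, names in ACL_RE.findall(page_text):
        grants.update((n.strip(), action) for n in names.split(",") if n.strip())
    return grants

def _granted(grants, principals, action):
    # Principal names are compared exactly, so "anonymous" != "Anonymous".
    return any(p in principals and action in IMPLIES.get(a, {a}) for p, a in grants)

def is_allowed(page_text, principals, action):
    """Replace semantics: an ACL on the page is the only source of grants."""
    acl = parse_acl(page_text)
    return _granted(acl if acl else DEFAULT_POLICY, principals, action)

def is_allowed_additive(page_text, principals, action):
    """Hypothetical alternative: ACL grants stacked on top of the default policy."""
    return _granted(parse_acl(page_text) | DEFAULT_POLICY, principals, action)

# Constructed sample pages
FOO = "[{ALLOW edit florian}]\nPage text"
FOO_OPEN = "[{ALLOW view Anonymous}]\n[{ALLOW edit florian}]\nPage text"
PAYROLL = "[{ALLOW edit Finance}]\nSalary table"
PLAIN = "A page with no ACL"

if __name__ == "__main__":
    for name, page in [("Foo", FOO), ("Foo+view", FOO_OPEN),
                       ("Payroll", PAYROLL), ("Plain", PLAIN)]:
        print(name, "anonymous view:", is_allowed(page, {"Anonymous"}, "view"),
              "| additive:", is_allowed_additive(page, {"Anonymous"}, "view"))
```

When auditing a wiki for pages that became unreadable or over-restricted after someone added an edit-only ACL, the same parse step can be used to list pages whose ACL has no view grant.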